This security exploit isn't really an exploit at all and has nothing to do with Abyss Web Server. It's a validation issue that some developers forget to check before deploying their code into production. A simple regular expression can prevent the imagename.gif.php exploit (e.g. \.gif$) from being uploaded to the server via the upload form. See how important form validation is? ;)

Rather, I'd drop all file extensions that have any PHP executable extensions on them (typically just .php, but some people do .php3, even .html. People who want to think they're security gurus but are actually just stupid sometimes try to confuse the end user by making the extensions .asp, .java, .cf, and so on run through PHP. Whatever the case, filter them all).

Additionally, make sure your server has short_tags off and asp_tags off and do a str_ireplace on the submitted image to replace <?PHP, <?=. This may break a very rare image, but most of the time will help lock down any issues you may have.

Portfolio: Robert Lerner
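One way to combine the two checks discussed in this thread (the final-extension test and the executable-extension filter), as an added example that is not code from either poster. The function names and the allowlist are assumptions; the executable list is the one given in the post above, and the content check and server-chosen storage name go beyond what the posts describe.

```php
<?php
// Added example. Both lists are assumptions: match them to your server's handler config.
const ALLOWED_IMAGE_EXT = ['gif', 'jpg', 'jpeg', 'png'];
const EXECUTABLE_EXT = ['php', 'php3', 'html', 'asp', 'java', 'cf']; // from the post above

// Returns [true, extension] on success or [false, reason] on rejection.
function check_upload_name(string $clientName): array
{
    if (preg_match('/[\x00-\x1f]/', $clientName)) {
        return [false, 'control byte in name'];
    }
    // Keep only the last path component, whichever separator the client used.
    $name = strtolower(basename(str_replace('\\', '/', $clientName)));
    $parts = explode('.', $name);
    $final = array_pop($parts);
    $base = array_shift($parts);
    if ($base === null || $base === '') {
        return [false, 'missing base name or extension'];
    }
    if (!in_array($final, ALLOWED_IMAGE_EXT, true)) {
        return [false, "final extension .$final is not an allowed image type"];
    }
    // A bare \.gif$ test stops here; also refuse executable extensions in the middle.
    foreach ($parts as $segment) {
        if (in_array($segment, EXECUTABLE_EXT, true)) {
            return [false, "executable extension .$segment inside the name"];
        }
    }
    return [true, $final];
}

// True when the bytes parse as an image whose type matches the claimed extension.
function content_matches(string $bytes, string $ext): bool
{
    $types = [IMAGETYPE_GIF => ['gif'], IMAGETYPE_JPEG => ['jpg', 'jpeg'], IMAGETYPE_PNG => ['png']];
    $info = @getimagesizefromstring($bytes);
    return $info !== false && in_array($ext, $types[$info[2]] ?? [], true);
}

// Constructed sample input: a 1x1 GIF and a few client-supplied names.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
foreach (['imagename.gif.php', 'imagename.php.gif', 'Holiday.GIF', '.gif'] as $name) {
    [$ok, $detail] = check_upload_name($name);
    if ($ok && !content_matches($gif, $detail)) {
        [$ok, $detail] = [false, 'content is not that image type'];
    }
    if ($ok) { // The client's name never reaches the filesystem.
        $detail = 'store as ' . bin2hex(random_bytes(16)) . '.' . $detail;
    }
    printf("%-20s %s  %s\n", $name, $ok ? 'accept' : 'reject', $detail);
}
```

Of the four constructed names only `Holiday.GIF` is accepted; `imagename.php.gif` would pass a plain `\.gif$` match and is rejected here by the segment check.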